GitHub Secrets sometimes empty #27026
Recently I started noticing automatically created PRs (like those created by Dependabot) failing due to empty Secrets. When re-running the jobs, all Secrets work again. The GITHUB_TOKEN does not seem to be affected.
Replies: 4 comments
That change was intentional, because of a potential security problem: GitHub Actions: Workflows triggered by Dependabot PRs will run with read-only permissions (The GitHub Blog)
Completely missed that, thank you.
airtower-luna:
What’s the fix for this? How do I get back to Dependabot working as expected in the most secure fashion?
Depends on the details of your workflow, but the changelog entry links to this article, which discusses dangers and possibilities:
Keeping your GitHub Actions and workflows secure: Preventing pwn requests (GitHub Security Lab)
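One way to keep Dependabot PRs building without secrets while privileged steps still run, as an added example (not code from this thread, from the linked article, or from GitHub): the untrusted PR build runs on `pull_request`, where a Dependabot PR gets a read-only token and no repository secrets, and a second workflow on `workflow_run` takes the build artifact and runs with secrets without ever checking out the PR's code. The file names, the two scripts and the `PREVIEW_TOKEN` secret are hypothetical.

```yaml
# File 1 (hypothetical): .github/workflows/ci.yml
# Runs for every PR, including Dependabot's. On a Dependabot PR the
# GITHUB_TOKEN is read-only and `secrets.*` are empty, so nothing in this
# job may depend on a secret. Untrusted PR code executes only here.
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh                     # hypothetical build script
      - uses: actions/upload-artifact@v4
        with:
          name: build-output
          path: dist/

---
# File 2 (hypothetical): .github/workflows/publish-preview.yml
# Privileged follow-up. `workflow_run` executes in the context of the
# default branch, so secrets are available even when the triggering run
# came from a Dependabot (or fork) PR. It deliberately does NOT check out
# the PR head: it only consumes the artifact produced by the untrusted run,
# so PR-controlled code never executes with these credentials.
name: publish-preview
on:
  workflow_run:
    workflows: [ci]
    types: [completed]
permissions:
  contents: read
jobs:
  publish:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: build-output
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # Treat the artifact as data, not as code to run: publish it, do not
      # source or execute anything inside it.
      - run: ./publish-preview.sh dist/    # hypothetical publish script
        env:
          PREVIEW_TOKEN: ${{ secrets.PREVIEW_TOKEN }}   # hypothetical secret
```

If a Dependabot-triggered job genuinely needs a credential (for example to reach a private package registry), store it as a Dependabot secret in the repository settings rather than switching the trigger to `pull_request_target`, which is the pattern the linked article warns about.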